This patch makes sure that we now handle correctly bytes and native
strings on python 3:
- In python 3, sockets are now taking and returning bytes.
- according to PEP3333, headers should be native strings and body in
bytes.
We were accidentally including partial data when we didn't find the
request line terminating '\r\n'. This changes the check to make sure
we're testing the length after we assert there's no termination.
patch from Djoume Salvetti . address the following issues in gunicorn:
* Gunicorn does not limit the size of a request header (the
* limit_request_field_size configuration parameter is not used)
* When the configured request limit is lower than its maximum value, the
* maximum value is used instead. For instance if limit_request_line is
* set to 1024, gunicorn will only limit the request line to 4096 chars
* (this issue also affects limit_request_fields)
* Request limits are not limited to their maximum authorized values. For
* instance it is possible to set limit_request_line to 64K (this issue
* also affects limit_request_fields)
* Setting limit_request_fields and limit_request_field_size to 0 does
* not make them unlimited. The following patch allows limit_request_line
* and limit_request_field_size to be unlimited. limit_request_fields can
* no longer be unlimited (I can't imagine 32K fields to not be enough
* but I have a use case where 8K for the request line is not enough).
* Parsing errors (premature client disconnection) are not reported
* When request line limit is exceeded the configured value is reported
* instead of the effective value.
Add --limit-request-fields (limit_request_fields) and
--limit-request-field-size (limit-request-field-size) options.
- limit_request_fields:
Value is a number from 0 (unlimited) to 32768. This parameter is
used to limit the number of headers in a request to prevent DDOS
attack. Used with the `limit_request_field_size` it allows more
safety.
- limit_request_field_size:
Value is a number from 0 (unlimited) to 8190. to set the limit
on the allowed size of an HTTP request header field.
You can now pass the parameter --limit-request-line or set the
limit_request_line in your configuration file to set the max size of the
request line in bytes.
This parameter is used to limit the allowed size of a client's HTTP
request-line. Since the request-line consists of the HTTP method, URI,
and protocol version, this directive places a restriction on the length
of a request-URI allowed for a request on the server. A server needs
this value to be large enough to hold any of its resource names,
including any information that might be passed in the query part of a
GET request. By default this value is 4094 and can't be larger than
8190.
This parameter can be used to prevent any DDOS attack.
When the path starts with //, urlsplit considers it as a relative uri
while the RDF says it shouldnt (
http://www.w3.org/Protocols/rfc2616/rfc2616-sec5.html#sec5.1.2).
While I'm remove unncessary tests on netloc. The path never contains a
netloc or port.
`urlparse.urlparse` splits the url at semicolons and calls it params. Since
the WSGI doesn't have any special treatment for params, they should be
preserved and passed to the wsgi app. Using `urlparse.urlsplit` to
avoid splitting the params.
blocking operation django example (we read a file already on the fs and
recreate another which blocked async schedulers).
While I'm here ease the code of eventlet worker. Just use the convenient
eventlet.serve function which already manage what we do and revert sopme
useless changes in body and header parsing.
